Silver Bullet podcast: Gary McGraw discusses the evolution of software security, the BSIMM, the CISO report, and the future of IoT
December 2018

Dr. Gary McGraw is a globally recognized authority on software security and the author of eight best-selling books on the topic. His titles include "Software Security," "Exploiting Software," "Building Secure Software," "Java Security," "Exploiting Online Games," and six other books, and he is the editor of the Addison-Wesley Software Security Series. Dr. McGraw has also written more than 100 peer-reviewed scientific publications. Besides serving as a strategic counselor for top businesses and IT executives, Gary is on the Advisory Boards of MaxMyInterest, Ntrepid, and RavenWhite. He has also served as a Board member of Cigital and Codiscope (acquired by Synopsys) and as Advisor to Dasient (acquired by Twitter), Fortify Software (acquired by HP), and Invotas (acquired by FireEye). His dual Ph.D. in cognitive science and computer science is from Indiana University, where he serves on the Dean's Advisory Council for the School of Informatics. He launched and has produced the monthly Silver Bullet Security Podcast since April 2006.

Listen as Taylor Armerding and Gary discuss how Gary came to Cigital and how the company's mission and Gary's role evolved over the years. They talk about software security during the "Java Security" era and whether things have gotten better or worse since the launch of the software security industry. Gary explains some of the touch points he introduced in "Software Security" and how they apply to all software development methodologies, and they explore the origins of the BSIMM, the CISO report, and the Silver Bullet Security Podcast. Finally, Taylor asks Gary about what the future holds for software security, especially across the ever-expanding Internet of Things, and for Gary after he departs from Synopsys.

Elias Levy, a.k.a. Aleph One, is a distinguished engineer in Cisco's Security Business Group, where he works on big data and cloud technologies in support of endpoint security. Previously he was senior technical director for Symantec's Security Technology and Response organization. He was also CTO of SecurityFocus in the late '90s. Elias was the moderator of the mailing list Bugtraq from May 1996 until he stepped down in October 2001, and he was the author of "Smashing the Stack for Fun and Profit," which was published in Phrack 49. Elias served as department editor for IEEE's S&P magazine's Attack Trends and Malware Recon departments. He's also an avid scuba diver, and he lives in the Bay Area in California with his family.

Listen as Gary and Elias discuss how Elias got started in software security 25 years ago and wrote "Smashing the Stack" about stack buffer overflows. They talk about whether we've made enough progress in security since then, and Elias shares his optimistic views on security in areas such as architecture, languages, and platforms. Gary asks Elias what he thinks about fixing problems in broken programming languages versus fixing the languages themselves, and about his current views on the "full disclosure" debate that surrounded Bugtraq. Elias explains his "trajectory" patent as it relates to computer security and technology inventory and how it helps to be imaginative in the field. Finally, Gary and Elias discuss what computer security will look like in 25 years.

Meera Rao is a senior principal consultant and the director of the secure development practice at Synopsys Software Integrity Group. She has over 20 years of experience in software development in a variety of roles, including lead developer, architect, project manager, and security architect. Before joining Synopsys through acquisition two years ago, Meera worked as a consultant at Cigital for over 10 years. Meera knows software security intimately and specializes in many touchpoints, including code review, static analysis implementation, architectural risk analysis, secure design, and threat modeling. Lately, she's turned her attention to DevOps and is leading efforts to tame that technology at Synopsys. Meera lives in Burtonsville, Maryland, with her husband and daughter, an aspiring orthopedic surgeon in her fourth year of medical school at Duke.

Listen as Gary and Meera discuss the advantages of coming to software security with a development background and the difficulties of dealing with security-related design flaws (as opposed to bugs). They talk about how to scale experience- and expertise-driven skills such as architecture risk analysis and why automation, for all its benefits, can fall flat. Gary asks Meera about the biggest danger of DevOps. They also discuss BSIMM9 and how software security has been and will be impacted by orchestration technology. Finally, Meera shares her professional mentoring experiences and some of the challenges still faced by women in tech.

Filippo Valsorda is a cryptographic engineer building and breaking systems in Go. He works at Google on the Go Open Source project, where he owns the Go cryptography standard libraries. Previously, at Cloudflare, he worked on TLS 1.3 and DNSSEC. He's best known for his 2014 Heartbleed vulnerability test. Filippo grew up in Milan, where he earned a scientific high school degree in 2013. In 2009 he participated in the World Math Games Championship as part of the Italian team, and in 2013 he won a bronze medal in the Italian Mathematical Olympiad. Filippo currently lives in New York City.

Listen as Gary and Filippo discuss the contrasting roles that static and dynamic languages play in software security. They talk about whether cryptographic implementations are getting better or worse and how cryptography has changed in the last decade. Filippo explains the biggest challenge of creating a cryptography library and his approach to breaking/attacking cryptography. Gary asks Filippo about how much people should worry about open source security, the unsettling world of blockchain and cryptocurrency, and finally, how Filippo accomplished the speed and scale of his Heartbleed test.

Brittany Postnikoff is a graduate student in the Cryptography, Security, and Privacy Lab at the University of Waterloo. She researches the interplay between robots and social engineering to predict and mitigate the negative impact of social robots on security and privacy. As an undergrad at the University of Manitoba, she focused on human-robot interaction. Her work on robot skiing won first prize at the Humanoid Applications Challenge of the International Conference on Robotics and Automation in 2015. Brittany has given talks at ShmooCon, Troopers, Black Hat, and DEF CON. She holds diplomas in business administration and business IT from Red River College and is working on a master's degree at Waterloo, in Canada.

Listen as Gary and Brittany discuss robotics, maker culture, and the hands-on nature of learning. They closely examine the security and privacy problems that robots introduce -- including the ethical implications and built-in biases of human-robot interactions. Don't miss their discussion of robot vulnerability today and find out how vulnerable off-the-shelf robots really are.

Gøran Breivik is the CSO and chief privacy officer of the municipality of Bergen, Norway, the second-largest city in Norway, with a population approaching 300,000. After a brief stint in the army, Gøran was a consultant and programmer for a number of organizations. He's an early adopter and active participant in software security in the Nordics. He organized the ROOTS Conference for a decade, started and ran the Bergen Job and User Group for four years, and served on the board of the regional Norwegian Computer Society for two. More recently, Gøran has focused on building security in at the workplace, while his purview has expanded into privacy as GDPR sweeps the world. Gøran has a degree in information science from the University of Bergen and holds a CISSP. He lives in Bergen with his wife, Anne, and two teenage boys.

Listen as Gary and Gøran discuss what it's like to work for a city government and how to align the city's goals with software security. They also examine how to get the city to pay attention to security along with all other focus areas, including GDPR, the challenges of digitalization, and how to work with the city to set a budget as you address security and privacy goals and concerns.

Kathleen Fisher is a professor and Chair of the Tufts Department of Computer Science. Previously, Dr. Fisher was a Program Manager at DARPA, where she started and managed HACMS and PPAML. She also has been a Faculty Member at Stanford, and a Principal Member of the Technical Staff at AT&T Labs Research. Kathleen's research focuses on advancing the theory and practice of programming languages. Recently she's been exploring synergies between machine learning and programming languages with an emphasis on building more secure systems. Dr. Fisher is an ACM Fellow. She's a recipient of the SIGPLAN Distinguished Service Award, vice-chair of DARPA's ISET Study Group and a Trustee at Harvey Mudd College. Kathleen holds a B.Sc. in math and computer science, and a Ph.D. in computer science from Stanford. She lives with her husband in Cambridge, Massachusetts. Her daughter Elaine is in grad school.

Listen as Gary and Kathleen discuss scientific research versus hacking "research," programming languages and software security, hacking (or not hacking) autonomous helicopters at DARPA, why machine learning looks pretty similar to how it looked 25 years ago, and more.

Nicholas Weaver joined ICSI as a postdoctoral fellow in 2003. The following year he was hired as a senior staff researcher where he continues to conduct research on network security and measurement, worms, botnets, and other internet-scale attacks. He received his bachelor's degree in astrophysics and computer science in 1995 from UC Berkeley. He also earned his Ph.D. in computer science from Berkeley in 2003 where he continues to teach courses. Although his dissertation work involved FPGA architectures, he has been focused on computer security since 2001. Dr. Weaver lives in Berkeley.

Listen as Gary and Nicholas discuss the Spectre vulnerability, botnet attacks, research tech transfer, cryptocurrencies and blockchain technology, and more.

Tanya Janca is a senior cloud advocate at Microsoft, where she specializes in software security. Her job involves evangelizing software security and advocating for developers through public speaking. She is also a leader in the OWASP DevSlop project and believes in hands-on teaching via workshops and real technical examples. As an ethical hacker, OWASP project and chapter leader, software developer, and professional geek of 20 years, Tanya is fascinated by the "science" in computer science. Previously, she worked as the IT security coordinator for the 42nd general election in Canada. Tanya is also an avid gardener and has been the frontwoman of multiple bands. She holds a computer science diploma from Algonquin College and currently lives in Ottawa.

Listen as Gary and Tanya discuss the transition from development to security, election security, DevOps, and more.

Ron Gula is a co-founder, with his wife Cyndi, of Gula Tech Adventures, a cybersecurity investment fund. He started his security career as a network penetration tester for the NSA. At BBN, he ran US Internetworking's team of penetration testers and incident responders. As the CTO of Network Security Wizards, Ron focused on security monitoring and produced the Dragon Intrusion Detection System. As CEO and co-founder of Tenable Network Security, Ron led the company from 2002 through 2016, scaling to more than 20,000 customers worldwide. He holds a BS in electrical engineering from Clarkson University and an MS in electrical and computer engineering from Southern Illinois University Edwardsville.

Elena Kvochko is the CIO for the Group Security Function within a leading financial services organization. Previously she was an information technology manager at World Economic Forum, where she led global partnership programs on cyber resilience and the Internet of Things. She was also responsible for building relationships with information technology industry partners. Elena is the author of numerous articles and has contributed to Forbes, the New York Times, Harvard Business Review, and other media outlets. She is also a member of the Wall Street Journal CIO Network. She holds full CISSP and CEH certifications and has a master’s degree in technology policy from the University of Massachusetts, as well as executive certificates from MIT and Yale. She lives in New York City.

Listen as Gary and Elena discuss security policy, security technology, the role of a CIO, holistic security tactics, the economics of a security breach, and more.

Craig Froelich is the chief information security officer (CISO) for Bank of America. He leads the Global Information Security team responsible for security strategy, policy, and programs. Before moving to Bank of America through acquisition, he was responsible for Countrywide's cybersecurity technology, networks, crisis management, and security operations. Craig has over a decade of experience in product management and application development for software and hardware companies. He also serves on the board of FS-ISAC and the executive committee of BITS. On Twitter, he describes himself as "a SoCal dude learning to be a southern gentleman" as a Los Angeles transplant to Charlotte, North Carolina, where he lives with his family.

Listen as Gary and Craig discuss the role of the CISO in the financial services ecosystem and the newly released 2018 CISO Report.

Bruce Potter is CISO at Expel, where he is responsible for cyber risk and ensuring the secure operation of Expel's services. Previously, Bruce co-founded Ponte Technologies (sold to KeyW Corporation). He then served as CTO at KeyW for 2 years. Before that, Bruce was a security consultant at Cigital. In a seemingly previous life, Bruce founded the Shmoo Group. To this day, he helps run the annual hacker conference ShmooCon. He has co-authored several books, including "802.11 Security," "Aggressive Network Self-Defense," and "Host Integrity Monitoring." Bruce regularly speaks at DEF CON, Black Hat, and O'Reilly Security conferences. He lives in Maryland with his family.

Listen as Gary and Bruce discuss ShmooCon, the state of software security books, network security trends, hacking back, the relationship between preventative security engineering and operational security, DevOps, the CISO role, and more.

Adrienne Porter Felt is a senior staff software engineer within the Chrome Security team, where she leads Google's usable security efforts. Dr. Felt focuses on front-end work, building security user interfaces, experimental design, large-scale data analysis, and management. Previously, she was a research scientist on Google's Security Research team. She has also worked as a security consultant at HP Enterprise Security. Dr. Felt earned a Ph.D. in Computer Science from UC Berkeley. She also holds a BS in Computer Science from the University of Virginia. She lives in California with her husband, Mark, and young son, Emerson.

Matias Madou is a co-founder and the CTO of Secure Code Warrior, where he provides the company's technology vision and oversees the engineering team. He has over 15 years of hands-on software security experience. Matias was a researcher at HP Fortify and a founder of Sensei Security. He also holds 10 patents and has been very active in technology transfer from the lab to commercial products. He's a sought-after speaker as well, and we're proud of his presence at the 2017 BSIMM Community Conference. Matias holds a Ph.D. in computer engineering from Ghent University and currently lives in Belgium with his family.

Nicole Perlroth covers cybersecurity for the New York Times. Before joining the San Francisco bureau in 2011, she was deputy editor at Forbes, where she covered venture capital and web start-ups. Nicole is the recipient of several journalism awards for her reporting on efforts by the Chinese government to steal military and industrial trade secrets. She is currently working on a cybersecurity book, "This Is How They Tell Me the World Ends," for Penguin/Portfolio (2017). She holds a B.A. in Politics and Near Eastern Studies from Princeton and an M.A. in Journalism from Stanford. She's a native of the Bay Area, where she still lives.

Listen as Gary and Nicole talk about life as a cybersecurity journalist, being a woman in the security industry, and playing up the sex appeal of cybersecurity.

Wafaa Mamilli is Vice President, Chief Information Security Officer (CISO) at Eli Lilly and Company, where she leads a global, enterprise-wide information and product security organization. She started her career consulting in Paris prior to joining Lilly France in 1995. Before being named CISO, Wafaa held several international leadership responsibilities across Lilly, including a stint as Information Officer of their diabetes division.

Born and raised in Morocco, Wafaa also lived in the UK, France, and the Middle East before relocating to Indianapolis, Indiana in 2008. She holds a Master's in Computer Science from INSEA in Rabat, Morocco. She holds another Master's in Business Applications of Information and Technology from Université Rennes 2 in Rennes, France. Additionally, Wafaa holds a General Management Certificate from the London Business School. Most recently, in 2015, she graduated from the Harvard Business School Advanced Management program.

Pavi Ramamurthy manages the security ecosystem at LinkedIn as a Senior Information Security Manager. The Security Ecosystem team holds much of the responsibility for software security at the firm, including software security training, awareness, bug herding, application vulnerability response, program management, and security positioning for partners and customers. Pavi has over 20 years of experience in software engineering and development, coupled with 10 years of hands-on security experience. She has also worked in various capacities at VMware, Determina, Vitria Technology, and 3Com. Pavi holds an MS in Computer Engineering from Santa Clara University, and she lives in Silicon Valley with her family.

Listen as Pavi and Gary discuss whether a background in development makes you a better software security resource, CI/CD, security testing, the role that office hours play in software security awareness, and more.

Ksenia Dmitrieva-Peguero is a Principal Consultant within Synopsys' Software Integrity Group. She is a subject matter expert in a variety of software security practices, including static analysis tool design and execution, customization, and deployment. She is also an expert in the areas of penetration testing and threat modeling. Throughout her career as a consultant, Ksenia has established and evolved secure coding guidance and best practices for many different firms, and has delivered numerous software security training sessions. She speaks regularly at events around the world on topics such as HTML5, CSP, and JavaScript. Ksenia holds degrees in Education and Computer Science from Clemson University, and an MS in Computer Science from George Washington University. She lives in Virginia with her husband and newborn daughter.

Kelly Jackson Higgins is the Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with over 20 years of experience as a reporter and editor. Publications that Kelly has been associated with include Network Computing, Secure Enterprise Magazine, Communications Week, and more. Kelly's coverage of computer (i.e., cyber) security has led her to be selected as one of the top 10 cybersecurity journalists in the U.S. She holds a BA from the College of William and Mary where she also played on the women's soccer team. She currently lives near Charlottesville, VA.

Listen as Gary and Kelly discuss how to separate fact from fiction when it comes to news in security, changes in security-focused journalism in recent years, social media, security politics, and more.

Cheryl Biswas is a Cyber Security Consultant focusing on threat intelligence at KPMG Canada. Her IT career began over 20 years ago at CP Rail's helpdesk, with further roles in vendor management and change management. She went on to work as an InfoSec researcher at JIG Technologies where she advised her team and clients on security matters and weekly threat intel updates. Cheryl strives to connect people within information security, with a focus on end users. She shares a passion for learning and security by blogging, speaking at conferences, and through her social media presence. Cheryl holds a B.A. in Political Science from York University. She lives in Toronto, Canada with her three kids.

Listen as Gary and Cheryl discuss aligning security to work as a service for the business rather than an imposition for employees, trending cybersecurity political topics, work-life balance, and more.

Kate Pearce is a Senior Security Consultant at Cisco within the Customer Solutions division. In her career, Kate approaches security from diverse perspectives encompassing defenders, builders, assessors, and attackers. Her approach blends business, academic, and assessment contexts with a clear focus on evidence-driven security approaches. Kate holds an MSc and a BSc in Computer Science from the University of Canterbury. A repatriated Kiwi, she currently lives in Wellington, New Zealand with her wife and cat.

Listen as Gary and Kate discuss the state of the software security industry, gender perspectives in the security space, the relationship between biology and security, and more.

Jessy Irwin is Vice President of Security and Privacy at Mercury Public Affairs. Her work focuses on human-centric technology and security. Jessy works tirelessly to make security and privacy accessible to the average person through education and awareness. As an outspoken advocate, she writes and speaks publicly about security research, strong crypto, and security education. She studied Art History and French at Virginia Tech and is now based in San Francisco.

Listen as Gary and Jessy discuss social engineering, security research, and security education and accessibility.

Kelly Lum, a.k.a. Aloria, is a Security Engineer at Tumblr and an Adjunct Professor of Graduate Computer Networking and Application Security at NYU. She has 13 years of experience in computer security, having previously worked in both the government and financial services spaces. Kelly is also a frequent speaker on the Black Hat SummerCon Countermeasure circuit, where she often focuses on data loss prevention (DLP) and bug hunting.

Lesley Carhart is the Security Incident Response Lead at a large corporation in the Chicagoland area where she and her team work with digital theft, misconfiguration, and hacking issues. She has 17 years of experience in the IT industry, eight of which focus on incident response and digital forensics. Lesley holds a BS in Network Technologies from DePaul University. She is an active writer, speaker, and works as a member of CircleCityCon staff.

Dr. Marie Moe is a Security Researcher at SINTEF and an Associate Professor at the Norwegian University of Science and Technology. She was previously a Team Leader at NorCERT, the Norwegian national CERT, where she managed incident response to cyberattacks against national critical infrastructure. Marie's recent work focuses on public safety and security systems that impact human life. She is renowned for her work in medical device security; in fact, her own life depends on a pacemaker. She holds a PhD in Information Security and an MSc in Industrial Mathematics from NTNU. She lives in Trondheim, Norway with her family.

Listen as Gary and Marie discuss her research and the future of medical device security.

Mike Pittenger is the VP of Security Strategy at Black Duck Software where he is responsible for strategic leadership of security solutions, including product direction and strategic alliances. He has 30 years of experience in technology and business, more than 25 years of management experience, and has spent the past 15 years focusing on security. Mike previously served as VP and General Manager of the product division of @stake. After @stake’s acquisition, he led the spin-out of his team to form Veracode. He later served as VP of the product and training division of Cigital. Mike also works as an independent consultant helping security companies identify, define, and prioritize their security product approaches.

Listen as Gary and Mike discuss open source security including OpenSSL, containerization, and progress being made in the industry.

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and secure engineering. He is also the founder of Brakeman Security, which produces a Ruby on Rails security scanner. He is a volunteer and Former Global Board Member of the Open Web Application Security Project (OWASP) and the author of "Iron-Clad Java: Building Secure Web Applications." With nearly 20 years of software development experience and over 10 years of application security experience, Jim is a highly sought-after speaker on security practices, specializing in the notion of building as opposed to breaking.

Listen as Gary and Jim discuss recent developments with static analysis, the relationship between open source and security, programming languages frameworks and how they impact tools, developer training, enterprises moving to the cloud, and island life.

Lance Cottrell is the Chief Scientist at Ntrepid where he works on the Passages product. He founded Anonymizer, Inc. in 1995, which was later acquired in 2008. Lance has been at the cutting edge of Internet privacy, anonymity, and security for over 20 years. He is on the board of the North Bay Angels and is a mentor for SoCo Nexus Sprout. He lives in Sonoma County, California where he also dabbles in winemaking. Listen as Gary and Lance discuss privacy, anonymity, Tor, attribution issues, browser security, geolocation, anonymity tools, and more.

David Nathans is a security professional with Siemens Healthcare, where he specializes in medical device security. He has extensive experience in building security operations centers (SOCs) and cybersecurity programs. As the author of "Designing and Building Security Operations Center" and an original member of the first cyber squadron of the Air National Guard, he has established his place as a leader in the security field. Listen as Gary and David discuss security considerations when designing and building SOCs, the emergence of DevOps, and the progress that's been made between data and security in medical devices over the past decade.

Martin E. Hellman is Professor Emeritus of Electrical Engineering at Stanford University. A graduate of New York University, Martin went on to earn both a Master's degree and Ph.D. in Electrical Engineering from Stanford. He is the author of over 70 technical papers, holder of 12 U.S. patents, co-inventor of public key cryptography, and the 2015 Turing Award recipient. Listen as Gary interviews Martin about his cutting-edge career, involvement in the crypto wars, and his work with nuclear non-proliferation and risk management.

As the Chief Architect for Security Products at NetSuite, Jacob West leads research and development for technology to identify and mitigate security threats. West has over a decade of experience developing, delivering, and monetizing innovative security solutions. Prior to his role at NetSuite, he served as the CTO for Enterprise Security Products (ESP) at HP, where he founded and led HP Security Research. West is the co-author of "Secure Programming with Static Analysis" and is a founding member of the IEEE Center for Secure Design. Listen as Gary and Jacob discuss secure design, the critical difference between bugs and flaws, and wearable device security.

Gary talks to Jack Daniel, a leading technology community activist, about the evolution of the community-driven BSides Con, changes in the security field over the last decade, and his thoughts on where good security people come from. Jack is currently a Strategist for Tenable Network Security and has over twenty years of experience in network and system administration and security. He also has twenty years of mechanical experience in the automotive domain. Jack co-hosts the Security Weekly podcast and produces the Uncommon Sense Security blog. Listen as Gary and Jack kick things off with the topic of the importance of diverse security communities.

Gary talks to Jamie Butler, a self-proclaimed "coder at heart," about the importance of an offensive security approach, attack patterns, and his specialization in rootkit development. Jamie is currently the CTO and Chief Scientist at Endgame, where he leads research on advanced threats, vulnerabilities, and attack patterns. He has directed vulnerability research teams at a number of prominent companies. Jamie holds an MS in Computer Science and has over 17 years of operating system security experience in the government and private sectors. Listen as Gary and Jamie discuss the attribution problem and his research focusing on how to think like a hacker in an effort to turn their work against them with an offensive security stance.

Silver Bullet podcast: Doug Maughan Discusses the Current State of Cyber Security in the U.S. Department of Homeland Security
November 2015

Gary talks to Dr. Doug Maughan about scientific research in computer security and its relationship to wider government efforts in security. Maughan is currently the Cyber Security Division (CSD) Director for the Homeland Security Advanced Research Projects Agency. With a Ph.D. in Computer Science and over 10 years of experience working with the Department of Homeland Security (DHS), Maughan focuses his expertise on advancing the state of security technology through the research “valley of death.” Listen as Gary and Doug discuss tech transfer, the relationship between scientific research and government funding, and the widening gap between scientific computer security results and the insufficient computer security measures attempted by the government today.

Gary talks to Peiter Zatko, better known as "mudge" in hacker and security circles, about the evolution of the L0pht hacker collective and how his work in security influenced key agencies within the U.S. government to ramp up their cybersecurity efforts. During his time as a Program Manager with DARPA, mudge worked to fund much-needed research for the speedy development of technology that would allow the government to protect against cyberattacks. From his experience with the L0pht and the Cult of the Dead Cow to federal and commercial tech-industry giants including Google, mudge shares his experience and lessons learned along the way.

Gary talks to the Chief Information Security Officer of Qlik, Peter “Pete” Clay, who holds 20+ years of experience in technology growth and its relationship to security from a risk management perspective. Pete brings federal, public, private and start-up insight into the global security space. He shares personal lessons he has learned as a consultant and CISO, and gaps he has identified within the ever-changing security industry. Listen as Gary and Pete discuss the evolution of the CISO role, reactive approaches to security and the potential for cyber warfare.

Gary talks to Cigital's Chandu Ketkar. With 20+ years of experience as a developer prior to getting into security, Chandu brings a unique and enlightened view to software security. Chandu shares his insight into why developers and security experts struggle to get along, and offers a solution from the world of economics. He also provides lessons from the healthcare industry and aviation that he believes can improve security processes, particularly when it comes to threat modeling and architecture risk analysis. Listen in for Gary and Chandu's take on threat modeling, risk analysis, the principal-agent paradox, the checklist manifesto, and more.

We thought the "crypto wars" were resolved in the late 1990s. But the introduction of encrypted devices, specifically the release of iOS 8, and the growing number of encrypted communication channels available through public services such as Facebook and Snapchat have resurfaced the debate. FBI Director Comey and other law enforcement groups are concerned about what they call "going dark" and are stressing the need for back door access (called "exceptional access"). But is this really a good idea? Didn't we already fight this battle during the first crypto wars? Matthew Green and Steve Bellovin, two authors of the recently released Keys Under Doormats paper, discuss the dangerous ramifications of this request.

Has software security actually gotten worse? On the 111th episode of The Silver Bullet Security Podcast, Gary talks with Marcus Ranum, Chief Security Officer of Tenable Network Security. He is the inventor of the proxy firewall and of one of the earliest intrusion detection systems. Gary and Marcus discuss the current state of software security, firewalls, de-perimeterization, and hackers. Marcus also shares how he stays on the cutting edge of security and who his biggest influences are. Gary closes the show with an unexpected "dirty, brilliant trick."

On the 110th episode of The Silver Bullet Security Podcast, Gary talks with Paul Dorey, founder of CSO Confidential and Visiting Professor at the University of London. Gary and Paul discuss the modern role of the CSO and the ideal background for a CSO, Paul's biggest win and biggest mistake as a CSO, and the role of building security in as part of a CSO's strategy. They close out the episode with a discussion of Paul's favorite piece of humorous fiction.

On the 109th episode of The Silver Bullet Security Podcast, Gary is joined by Bart Preneel. Bart is a full professor at KU Leuven, one of the oldest universities in the world. Gary and Bart discuss the differences in approaches to security between the EU and the US, what the picture of building security in looks like around the world, quantum cryptography, and the implications of the Snowden revelations for cryptography. They close out their chat discussing Bart's Dixieland band.

In the 108th episode of the Silver Bullet Security Podcast, Gary talks with Katie Moussouris, Chief Policy Officer of HackerOne. Gary and Katie discuss her first program (a piece of interactive fiction in the Choose Your Own Adventure category, written in BASIC), bug bounty programs, how financial services and healthcare firms might approach vulnerability management, breaking versus building (and how to teach breakers to think more like builders), and the challenges of being a woman in security and why Katie dislikes being asked about it. They close out their discussion with some talk of various libations.

L. Jean Camp is a Professor at the Indiana University School of Informatics and Computing. Gary and Jean discuss usability and security, whether users' implicit expectations of security and privacy are enough to move the mobile market, and "old people" and security. They close out their discussion with the most surprising hangover cure and Jean's favorite album of 2014.

Steve Katz is owner and founder of Security Risk Solutions and the "world's first CISO." Gary and Steve discuss the history and evolution of the CISO position, the difficulty of measuring risk in a realistic fashion, how to allocate resources between proactive security engineering and standard network security, triage, and incident response, what it means to be an executive, and the FS-ISAC.

On the 105th episode of the Silver Bullet Security Podcast, Gary talks with the legendary Whitfield Diffie, a pioneer of public-key cryptography. Gary and Whitfield discuss the history of public-key cryptography, Diffie's work on the "proof of correctness of programs," and whether backdoors into cryptosystems are a bad idea. They close out by discussing art.

On the 104th episode of the Silver Bullet Security Podcast, Gary chats with Rick Gordon, Managing Partner at MACH37. Gary and Rick discuss Rick's time in the Navy and what it taught him about security, Rick's lessons learned from his time as CEO of Tovaris, whether the government outside of DARPA understands security engineering, and the drive behind MACH37 the company… and the name. They close out by discussing whether Rick is teaching his children to wrestle.

On the 103rd episode of the Silver Bullet Security Podcast, Gary talks with Brian Krebs, reporter and blogger at Krebs on Security. Gary and Brian discuss how growing up with a computer affected their future careers in security, MUD vs. MAD, why "old media" can't support in-depth security reporting, and why the government continues to be five years behind the security curve. They close out talking about Brian's experience of writing Spam Nation.

On the 102nd episode of the Silver Bullet Security Podcast, Gary chats with Richard Danzig, former Secretary of the Navy and Board member of the Center for a New American Security (among several other things). Gary and Richard discuss Richard's time at the Department of Defense, what he learned when running the US Navy that can be applied to computer security, Richard's recommendations from his important new CNAS report, and how the report is designed to have an impact on policy. They close out their chat with a high-brow art discussion.

Silver Bullet podcast: A roundtable with founding members of the Center for Secure Design, August 2014

In the 101st episode of the Silver Bullet Security Podcast, Gary talks with Jim Del Grosso (Cigital), Yoshi Kohno (University of Washington), and Christoph Kern (Google) in a roundtable devoted to the new IEEE Center for Secure Design. The participants discuss the origin of the Center, why design flaws are more difficult to fix than implementation bugs, design flaws in automobile design and how the top 10 most common flaws recently published by the Center for Secure Design were compiled.

After 100 months in a row (over 8 years), the Silver Bullet Security Podcast with Gary McGraw hits its landmark 100th episode. In this episode, Gary talks live on video with Cigital's Principals: John Steven, Scott Matsumoto, Paco Hope, Jim DelGrosso and Sammy Migues. The group discusses the state of software security and how it has evolved (or has it?) over the last decade. They talk frameworks and code analysis, mobile security, software security in Europe, the forthcoming IEEE Center for Secure Design, and the BSIMM. Finally, we get to find out who thinks we're making progress and who doesn't.

In this episode, Gary talks with Michael Hicks, Professor of Computer Science at the University of Maryland, about the Programming Language Design and Implementation (PLDI) conference, type safety, closures, dynamic languages, why C is problematic, and how JavaScript is dangerous. They go on to discuss the role that cryptography plays in security, how ideas from Scrum influence the way Michael runs his research group, CMSC 838G (that is, "Software Security"), and the Build-it, Break-it, Fix-it Programming Contest.

In this episode, Gary chats with Bart Miller, Professor of Computer Science at the University of Wisconsin-Madison and Chief Scientist of the DHS Software Assurance Marketplace Research Facility. Gary and Bart discuss Heartbleed, fuzz testing, his work with Jeff Hollingsworth on dynamic instrumentation of binaries, and the SWAMP project.

In this episode, Gary chats with Aaron Bedra, Senior Manager of Application Security at Groupon. Gary and Aaron discuss how security is viewed by development teams that Aaron has worked with, how a security person could transition into software security, the importance of developing a security culture, and type safety and closure in programming.

In this episode, Gary talks with Nate Fick, CEO of Endgame. Gary and Nate discuss the use of the term "cyber war" from the perspective of an ex-Marine, Nate's time at the Center for a New American Security, the Estonia DDoS attack, and how Nate has turned around the perception of Endgame.

In this episode, Gary chats with Ming Chow, lecturer at Tufts University School of Engineering's Department of Computer Science. Gary and Ming discuss whether it's better to start with security people or people who already know how to code when building new software security professionals. They also talk about what developers currently think of software security, what would make developers more likely to take security seriously, and how Ming uses games to teach security to his students.

In this episode, Gary chats with Yoshi Kohno, Associate Professor of Computer Science and Engineering at the University of Washington, about how much academic security impacts commercial security, car hacking, whether it's possible to get the media to cover good software security, and helping consumers understand the privacy implications of popular products' security designs.

In this episode, Gary chats with Jon Callas, Chief Technology Officer at Silent Circle and all around crypto freedom fighter. Gary and Jon talk about the early days of computing, insanely early computer security, nascent crypto, PGP, Lavabit, Snowden, and what Silent Circle is doing to make secure comms actually work. They also chat briefly about software security and reality.

In this episode, Gary talks with Caroline Wong, Cigital’s Director of Security Initiatives. Gary and Caroline discuss the newly-released BSIMM-V, the concept of “SSI (Software Security Initiative) in a box,” the most successful metrics that Caroline has used throughout her career at eBay and other high-profile firms, and how to increase the number of women in computer science.

In this episode, Gary chats with Mike Reiter, Lawrence M. Slifkin Distinguished Professor in the Department of Computer Science at the University of North Carolina at Chapel Hill. Gary and Mike discuss the differences and similarities between academic research and corporate research, the challenges of teaching computer security, and how to attract more women to the field of software security. They close out their discussion with some talk about mixed martial arts.

In this episode, Gary talks with Christian Collberg, Ph.D., Associate Professor of Computer Science at the University of Arizona. Gary and Christian discuss what drew Christian to teaching Computer Security in the United States after living in several other countries, Christian's book Surreptitious Software, Christian's opinions on products that purport to offer software protection on mobile devices, and whether software security students should be taught to think like an attacker. They close out their talk with a discussion of travel on planet Earth.

Silver Bullet podcast episode: An interview with James Walden, June 2013

In this episode, Gary chats with James Walden, Ph.D., Associate Professor of Computer Science at Northern Kentucky University. Gary and James discuss the progress being made in the field of software security, why there are plenty of top N lists for bugs but none for flaws, the difficulties of teaching how to fix code, the current generation’s outlook on privacy, and security metrics and measurement.

In this episode, Gary chats with Wenyuan Xu, Associate Professor in the Department of Computer Science and Engineering at the University of South Carolina. Gary and Wenyuan discuss the differences between American and Chinese technical culture, Wenyuan’s work on automatic meter reading systems, whether electrical engineering is more advanced in terms of design than computer science, and why there are so few women in engineering and computer science. They close out the episode with a discussion of tailgating.

In this episode, Gary talks mobile security with two guests: Jim Routh, former global head of application security at JP Morgan Chase (and newly appointed CSO), and Scott Matsumoto, Principal Consultant and head of the mobile security practice at Cigital. All three discuss the challenges associated with mobile security and how these challenges are both exactly the same as, and different from, the software security concerns of past years. Also discussed is the use of new technologies, including accelerometers, in enhancing security (or compromising privacy), and the effect that massive phone rooting has on security.

In this podcast, Gary chats with W. Hord Tipton, Executive Director of (ISC)². Gary and Hord discuss how to get into science and engineering when growing up in rural Tennessee, what insight being a nuclear and chemical engineer gives Hord about modern control systems, whether or not certification helps to advance software security, and the benefits of teaching software security to kids.

In this podcast, Gary talks with Mark Graff, CISO at NASDAQ OMX. Gary and Mark discuss what a CISO actually does all day, how corporate security posture at NASDAQ compares to the security posture at Lawrence Livermore National Laboratory, Enrico Fermi and the piano tuners (the “Fermi problem”) and how it relates to estimation, and the most surprising cultural difference between the left and right coasts. They close out their conversation with talk about Mark’s favorite poem from the mid-19th century (and it still has a software security connection!).

In this podcast, Gary talks with Kevin Fu, Associate Professor in the EECS Department at the University of Michigan. Gary and Kevin talk about finding advisors and picking a grad school, the security implications of embedded medical devices, the presence of malware in hospital systems, the consumer trend toward analyzing health data, and the issues associated with teaching design analysis to other humans.


Fantastic resource for security buffs and anyone who wants to reference topics dealing with best practices for IT regarding security. Looking forward to reviewing some of the shows in my spare time. Thanks Gary!